GitLab group visibility changed to public

Goal

Detect when a GitLab group visibility changes from private to public.

Strategy

This rule monitors GitLab audit logs for changes indicated by group_visibility_level_updated.

An unintended change to public visibility can allow valuable information about the GitLab group and associated repositories to be viewed by a potential attacker.
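The same check can be run offline over exported audit logs. The following is an added example, not part of the original rule: it assumes JSON-lines input with the field names event_type, author_name, entity_path, details.from and details.to, and the sample log lines are constructed. It goes slightly beyond the rule's stated case by flagging any change to public from a non-public level, not only from private.

```python
import json

EVENT_TYPE = "group_visibility_level_updated"  # event name from the rule above

# Constructed sample audit log lines; the field layout is an assumption.
SAMPLE_LOGS = [
    '{"event_type": "group_visibility_level_updated", "author_name": "alice",'
    ' "entity_path": "acme/payments", "details": {"from": "Private", "to": "Public"}}',
    '{"event_type": "group_visibility_level_updated", "author_name": "bob",'
    ' "entity_path": "acme/docs", "details": {"from": "Public", "to": "Private"}}',
    '{"event_type": "other_event", "author_name": "carol",'
    ' "entity_path": "acme/web", "details": {"from": "Private", "to": "Public"}}',
    'truncated or non-JSON line',
    '{"event_type": "group_visibility_level_updated", "author_name": "dave",'
    ' "entity_path": "acme/infra", "details": {"from": "internal", "to": "public"}}',
]


def find_public_exposures(lines):
    """Return one finding per event that moved a group to public visibility."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(event, dict) or event.get("event_type") != EVENT_TYPE:
            continue
        details = event.get("details")
        if not isinstance(details, dict):
            continue  # no before/after values to compare
        old = str(details.get("from", "")).strip().lower()
        new = str(details.get("to", "")).strip().lower()
        # Alert only on a transition into public, never on public -> private.
        if new == "public" and old != "public":
            findings.append({
                "line": lineno,
                "actor": event.get("author_name", "unknown"),
                "group": event.get("entity_path", "unknown"),
                "previous": old or "unknown",
            })
    return findings


if __name__ == "__main__":
    for f in find_public_exposures(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['actor']} made {f['group']} public (was {f['previous']})")
```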

Triage and response

  1. Determine whether the change {{@custom_message}} made by {{@usr.name}} is expected.
  2. If the change was not authorized or was unexpected, begin your organization’s incident response process and investigate.